passwordcheck

A newer version of this documentation is available. Click here to view the most up-to-date release of the Greenplum 5.x documentation.

passwordcheck

The passwordcheck module checks users' passwords whenever they are set with
CREATE ROLE or ALTER ROLE. If a password is considered too
weak, it will be rejected and the command will terminate with an error.

To enable this module, add '$libdir/passwordcheck' to
shared_preload_libraries in postgresql.conf, then
restart the server.

By default, this module enforces a few simple rules for password strength, which you can
modify or extend as you see fit. It is also possible to adapt this module to your needs by
modifying the Makefile and rebuilding the module.

CAUTION:

To prevent unencrypted passwords from being sent across
the network, written to the server log, or otherwise stolen by a database administrator,
Greenplum Database enables you to supply pre-encrypted passwords. Many client programs make
use of this functionality and encrypt the password before sending it to the server.This
limits the usefulness of the passwordcheck module, because in that case it
can only try to guess the password. For this reason, passwordcheck is not
recommended if your security requirements are high. It is more secure to use an external
authentication method such as Kerberos than to rely on passwords within the database.
Alternatively, you could modify passwordcheck to reject pre-encrypted
passwords, but forcing users to set their passwords in clear text carries its own security
risks.